kaiten | d2e2fd9bcb3ba0416e9f057c3b09c8470d51634fc6ab0414611ba27ac7e98e2d

General

Target

inst
Size

732B
MD5

56a30205ea23a457ff2af18a76cd521c
SHA1

a2007725d6a3e6b2a1b6dfed6a9a735ac66a7606
SHA256

d1469b9971ed7346f21104b2044feb538a5206e55bdbc60b641c9d8ca11ab851
SHA512

7f44fbe568895c25fc63577aad7c5b1208226a42949e71a770b10a7f780ebe431d69182600fe190da6444554b29397168e6b51b815b1161febe5b8fe7269073b

Score

10^/10

kaiten botnet persistence

Malware Config

Signatures

Detects Kaiten/Tsunami Payload 4 IoCs

Processes:

resource	yara_rule
/tmp/ccpMlAX1.s	family_kaiten2
/tmp/ccgtz5MD.o	family_kaiten2
/tmp/httpds	family_kaiten2
/etc/-lib/httpds	family_kaiten2

Detects Kaiten/Tsunami payload 3 IoCs

Processes:

resource	yara_rule
/tmp/ccgtz5MD.o	family_kaiten
/tmp/httpds	family_kaiten
/etc/-lib/httpds	family_kaiten

Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.xAMhjs crontab

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.xAMhjs	crontab

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

mkdircrontabcrontabcpid

description	ioc	process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	id

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

gcccollect2ldasinstcc1

description	ioc	process
File opened for modification	/tmp/cciJHHnO.res	gcc
File opened for modification	/tmp/ccK4DIRO.o	collect2
File opened for modification	/tmp/httpds	ld
File opened for modification	/tmp/saveds
File opened for modification	/tmp/ccpMlAX1.s	gcc
File opened for modification	/tmp/ccgtz5MD.o	as
File opened for modification	/tmp/ccoZFwtu.c	collect2
File opened for modification	/tmp/ccgNr2c8.ld	collect2
File opened for modification	/tmp/ccykhoer.le	collect2
File opened for modification	/tmp/saveds	inst
File opened for modification	/tmp/ccpMlAX1.s	cc1
File opened for modification	/tmp/ccgtz5MD.o	gcc

/tmp/inst
/tmp/inst
1⤵
- Writes file to tmp directory
PID:704

/usr/bin/id
id -u
2⤵
- Reads runtime system information
PID:706

/bin/mkdir
mkdir /etc/-lib
2⤵
- Reads runtime system information
PID:709

/bin/chmod
chmod u+x /etc/-lib/httpd
2⤵
PID:712

/usr/bin/chattr
chattr +ais /etc/-lib/httpd
2⤵
PID:716

/usr/bin/crontab
crontab -l
2⤵
- Reads runtime system information
PID:717

/bin/grep
grep -vi /etc/-lib/httpd
2⤵
PID:718

/usr/bin/crontab
crontab saveds
2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:719

/bin/rm
rm -rf saveds
2⤵
PID:722

/usr/bin/gcc
gcc httpds.c -o httpds
2⤵
- Writes file to tmp directory
PID:723

/usr/lib/gcc/mips-linux-gnu/6/cc1
/usr/lib/gcc/mips-linux-gnu/6/cc1 -quiet -imultiarch mips-linux-gnu httpds.c -meb -quiet -dumpbase httpds.c "-march=mips32r2" -mfpxx -mllsc -mno-lxc1-sxc1 -mips32r2 "-mabi=32" -auxbase httpds -o /tmp/ccpMlAX1.s
3⤵
- Writes file to tmp directory
PID:725

/usr/local/sbin/as
as -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccgtz5MD.o /tmp/ccpMlAX1.s
3⤵
PID:737

/usr/local/bin/as
as -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccgtz5MD.o /tmp/ccpMlAX1.s
3⤵
PID:737

/usr/sbin/as
as -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccgtz5MD.o /tmp/ccpMlAX1.s
3⤵
PID:737

/usr/bin/as
as -EB -mips32r2 -O1 -no-mdebug "-mabi=32" "-march=mips32r2" -mfpxx -KPIC -o /tmp/ccgtz5MD.o /tmp/ccpMlAX1.s
3⤵
- Writes file to tmp directory
PID:737

/usr/lib/gcc/mips-linux-gnu/6/collect2
/usr/lib/gcc/mips-linux-gnu/6/collect2 -plugin /usr/lib/gcc/mips-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mips-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cciJHHnO.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EB -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32btsmip -pie -o httpds /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/Scrt1.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crti.o /usr/lib/gcc/mips-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mips-linux-gnu/6 -L/usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu -L/usr/lib/gcc/mips-linux-gnu/6/../../../../lib -L/lib/mips-linux-gnu -L/lib/../lib -L/usr/lib/mips-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mips-linux-gnu/6/../../.. /tmp/ccgtz5MD.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mips-linux-gnu/6/crtendS.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crtn.o
3⤵
- Writes file to tmp directory
PID:741

/usr/bin/ld
/usr/bin/ld -plugin /usr/lib/gcc/mips-linux-gnu/6/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/mips-linux-gnu/6/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cciJHHnO.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "--sysroot=/" --build-id --eh-frame-hdr -EB -mips32r2 -dynamic-linker /lib/ld.so.1 -melf32btsmip -pie -o httpds /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/Scrt1.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crti.o /usr/lib/gcc/mips-linux-gnu/6/crtbeginS.o -L/usr/lib/gcc/mips-linux-gnu/6 -L/usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu -L/usr/lib/gcc/mips-linux-gnu/6/../../../../lib -L/lib/mips-linux-gnu -L/lib/../lib -L/usr/lib/mips-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/mips-linux-gnu/6/../../.. /tmp/ccgtz5MD.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/mips-linux-gnu/6/crtendS.o /usr/lib/gcc/mips-linux-gnu/6/../../../mips-linux-gnu/crtn.o
4⤵
- Writes file to tmp directory
PID:743

/bin/cp
cp httpds /etc/-lib/
2⤵
- Reads runtime system information
PID:748

/bin/chmod
chmod u+x /etc/-lib/httpds
2⤵
PID:750

/usr/bin/chattr
chattr +ais /etc/-lib/httpds
2⤵
PID:751

/bin/rm
rm -rf ./httpds ./httpds.c ./inst
2⤵
PID:753

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/-lib/httpd
Filesize
163B

MD5
f74bebdcbf28f62cbca5043ccd4e3771

SHA1
398f13629a640ec98b2f3ee67cdc22b3eb5b487b

SHA256
cef7615f1d3fa6421a00ec39346bcca19c9cd3d777153e982c9237b46c9ddbaa

SHA512
de6b896fdc40bff0c2f3557490719ba4c0bf100d7ac15769a9afbf8bbf2dbcbb791c7b261a4e5bd8c9dc89a7b222d78d2abe1c8236e8adf663a95f28efd22b68

Download Submit
/etc/-lib/httpds
Filesize
42KB

MD5
7b3111c3c2d4993d722db781de3cb1d9

SHA1
335a487d1b887283798cd003017113bf216ac588

SHA256
c3224cf64cc6e14241d22c3a3366a1f1922996e05c5d4574913d6a504387599c

SHA512
1ce406d7c76f9f3b89acbd9a10bf7c0a0aaf853db0bc8502f4f4fce58e50bd06234788082397124bcc1b214a9c9b39ba4b04ffa64a95baefd75ebdb1188207fc

Download Submit
/tmp/ccgtz5MD.o
Filesize
41KB

MD5
3f951602190fda23b8b2100b6b6db8ac

SHA1
6d7d5c8fdd3f55b5b6947d7e884c0129a0d8f221

SHA256
83857d36aa5f37d5edb6f9a3bf3d52e381bfb51e005450b008aca51097531963

SHA512
2c557de95c970b54a8c5593c954f6ccb65b1739d68a46d692f5b2f6ce2bd9b2f47fc4e8a4f3d2e8f33980e449235dfa71d7523b02b7bf34127c9574a566b0e77

Download Submit
/tmp/ccpMlAX1.s
Filesize
20KB

MD5
0a97127c20716877b46f68066c7bdeb6

SHA1
14a42bab8c8a684425921738ccd288b84c62e419

SHA256
133f86ab61197813c02171d517e5075aa290c75ab4d1ce4070f5bdeea6b56777

SHA512
db214fa5555b4b2c28c918e01880fc1db2431c710e333fb0bb5c12c2f160a179ecbedc79e041ff5ac86936c575f781c2b9c956a3dce26da25d734d6f8bab2af7

Download Submit
/tmp/httpds
Filesize
42KB

MD5
df6fe4da9a26c180a114c7ea5369b05b

SHA1
83afc0474313ec6fcd226e4d477fd91fe8fdeec3

SHA256
6ac846b9abe9c5463939f045f165be78b8de37e89799bc2b621a55330752f7b7

SHA512
b0f179b99fc4f8140c76d992414b4f6e47198cb1ef1f5e08166ad495fc7ed0cc54ea4e3a45d8fddb7b6a1956c8fd1f38deaeae0fe1539574be4b1851abfec239

Download Submit
/tmp/saveds
Filesize
42B

MD5
6c8eb055c0fd33626d89304ea6591bd0

SHA1
d51eb12a8891939217e1e867ba114ddfe940b9ed

SHA256
4212867a0307d9fcc05f966ae12f5280bb2b6f70c39b2d533663ad76a1c5aaf8

SHA512
a9d702ccb477fe1ddda484a05bf0150025e979855c03b200e4d62048d23780f256595917767071a62e961e9a926875724031a411597f2d788798d58bd9f78321

Download Submit
/var/spool/cron/crontabs/tmp.xAMhjs
Filesize
222B

MD5
7393b95578462d3a30ff3e4bd8d1bfc7

SHA1
aac7e4545076b4e6b4f87ff057269705434461e3

SHA256
0a85f0d828a55d5c103396b77b7438c1655edc4bfaf6d5590a7b477ab092191d

SHA512
95a03c2d3a334e50907c22e647ebe92778a94c20e074f114372f673f43b7988548bf8ec71a111ac26a770db28b814308ef65df0a19615eb54637a921166ea303

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads